I worked at the coal face of a UK computer forensics lab and performed production line forensics - day in day out - welcome to the sausage factory

Tuesday, 5 May 2009

Helix Imaging PC

When we upgrade our Forensic Workstations we cascade the older machines onto administrative and imaging tasks. One particular ex-Forensic Workstation had supported a tape drive for a year or two but was now about to become totally redundant. Instead of suffering this fate I decided to dedicate it to running Helix. The box itself is a Supermicro chassis sporting a Supermicro X6-DAL-TG motherboard, twin Xeon Nocona 3.4 GHz processors, 2 GB RAM and a hot-swap drive bay.

Part 1 of the job is done. A little bit of configuration is needed to make the machine more usable in its main role as an imaging machine. I am not a Linux guru, so apologies for the Janet and John approach to those that are. Also, my imaging machines are in a secure environment and not normally connected to the internet, so I felt relaxing security a little may be OK.

Relaxing Security

System->Administration->Login Window. On the Security tab you may wish to enable Automatic Login for the Helix user.

Applications->Forensics & IR->Root Terminal

:~# nano /etc/sudoers

Use the arrow keys to scroll to the end of the file, then type

helix ALL=(ALL) NOPASSWD: ALL

(presuming helix was the name of the user account you created; if not, substitute the name of your account for helix).

Type CTRL+o to save, press Enter to confirm the filename, then type CTRL+x to exit the nano text editor. The syntax is critical: if sudoers is messed up your OS may not boot. The reason this is done is that most of the applications we wish to use run as root, but user accounts do not have root privileges. This is overcome by using the sudo command, which periodically requires you to enter a password, which is a pain. Editing the sudoers file as shown above removes the requirement to enter a password when sudo is used.

By default there are three icons in the panel (like the Windows Quick Launch bar) on the taskbar at the top of the desktop: Firefox, Help and Terminal. Right-click on Terminal and select Remove from Panel.

Find Applications->Forensics & IR->Root Terminal in the menu, right-click it and select Add to Panel.

Imaging Applications

I work in an EnCase shop so I am going to concentrate on applications that image to EWF format (aka .E01 files). There are currently two applications installed that do this: Linen and EWFacquire.

Linen

Linen needs some configuration to run from the shortcut Applications->Forensics & IR->Linen. This shortcut (I think the proper Linux terminology is launcher) runs a script called sl in /usr/bin, and sl needs editing.

Linen should now be launchable via the menu. But in true Windows style I created a desktop shortcut by right-clicking the Linen menu item and selecting Add Launcher to Desktop.

EWFacquire

EWFacquire is installed and will run from the root terminal. This program is part of the libewf project. The syntax is

ewfacquire /dev/sdb

where /dev/sdb is the drive to be imaged. Again I created a desktop shortcut by:

Right-clicking on the desktop and selecting Create Launcher

Change the type to Application in Terminal

Set the name appropriately

In the command box type sudo /usr/bin/ewfacquire /dev/sdb

Click OK

It is probably worth noting that you would not want to launch EWFacquire from the desktop launcher unless you had first established the path of each drive by typing fdisk -l in the root terminal.
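The point above, that the device path must be confirmed before ewfacquire is pointed at it, can be backed by a check rather than memory alone. The following is an added example, not code from the original post or from libewf: before acquisition it reads the mounts table and refuses any disk that has a filesystem mounted from it or from one of its partitions, since on this machine that is the Helix system disk or the destination share, never the exhibit. The function names, the sample mounts table and the device names are constructed for the demonstration; the partition matching also accepts the p-separated naming used by newer device types, which goes beyond the sdX names in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from libewf): a pre-flight
# check before handing a device to ewfacquire. A disk with anything mounted is
# almost certainly the Helix system disk or the destination drive, not the
# exhibit, so the wrapper refuses it. Names below are constructed.

# device_is_mounted DEVICE [MOUNTS_FILE]
# Returns 0 if DEVICE itself or any partition on it (/dev/sdb1, /dev/sdb2 ...)
# appears as a mount source in MOUNTS_FILE (default /proc/mounts).
device_is_mounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    awk -v d="$dev" '
        index($1, d) == 1 {
            rest = substr($1, length(d) + 1)
            # exact match, or the disk name followed by a partition number
            # ("1" for sdb1, "p1" for devices that use a p separator)
            if (rest == "" || rest ~ /^p?[0-9]+$/) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$mounts"
}

# check_acquire_target DEVICE [MOUNTS_FILE]
# Returns 0 when DEVICE looks safe to image, 1 with a message otherwise.
check_acquire_target() {
    if device_is_mounted "$1" "$2"; then
        echo "refusing $1: it has a mounted filesystem" >&2
        return 1
    fi
    echo "$1 has nothing mounted; OK to acquire"
}

# acquire_if_safe DEVICE
# The real acquisition: runs ewfacquire only after the check passes.
acquire_if_safe() {
    if [ ! -b "$1" ]; then
        echo "$1 is not a block device" >&2
        return 2
    fi
    check_acquire_target "$1" || return 1
    ewfacquire "$1"
}

# Constructed sample of /proc/mounts: sda is the Helix system disk, the CIFS
# entry is the lab file server, and sdb is the exhibit with nothing mounted.
SAMPLE_MOUNTS="$(mktemp)"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/sda5 /home ext3 rw,relatime 0 0
//server/Helix /mnt/helix cifs rw 0 0
EOF

check_acquire_target /dev/sda "$SAMPLE_MOUNTS" || true   # refused: sda1 and sda5 are mounted
check_acquire_target /dev/sdb "$SAMPLE_MOUNTS"           # OK to acquire
```

On the real machine, call acquire_if_safe with no second argument so the check reads the live /proc/mounts; the sample table is only there so the logic can be exercised without touching a drive.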

Guymager

Guymager is another imaging tool that utilises libewf. It is controlled from a GUI and is a desirable addition to our imaging tools. I intend to do a mini review of it, along with the steps I have carried out to validate it, in a forthcoming blog post. It is not installed on the Helix CD-ROM but can be installed to our hard disk installation.

Launch a Root Terminal

:~# nano /etc/apt/sources.list

Use the arrow keys to scroll to the end of the file, then type

deb http://apt.pinguin.lu/i386 ./

Once the process is completed Guymager can be launched from a root terminal. Again I created a desktop shortcut by:

Right-clicking on the desktop and selecting Create Launcher

Change the type to Application in Terminal

Set the name appropriately

In the command box type sudo /usr/bin/guymager

Click OK

Guymager utilises a configuration file, guymager.cfg. For my setup I wanted to make some changes. The program advises that changes should be made to local.cfg; however, I did not have much success with this. I edited guymager.cfg with nano:

Launch a Root Terminal

:~# nano /etc/guymager/guymager.cfg

and modify entries to the following:

Language='en'
EwfFormat=Encase5
EwfCompression=Best
EwfSegmentSize=1500

In the Table LocalDevices area, add a new line beneath the line of ------------ containing the serial number of the hard disk drive on which Helix is installed, e.g.

'1ATA_Maxtor_6B300S0_B605MV0H'

The best way to establish the serial number is probably with Guymager itself.
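The guymager.cfg edits described above, done from a script so the same settings can be reapplied after a reinstall or on a second imaging box. This is an added example, not code from the original post or from the Guymager project: the Key=Value handling and the insertion under the dashed line of the LocalDevices table follow the layout the post describes, the sample file is a constructed excerpt rather than the real guymager.cfg, and the serial number is the one quoted in the post (listing the system disk there presumably keeps it out of the acquisition candidates, which is an assumption, not something the post states).

```shell
#!/bin/sh
# Added example (not from the original post or from Guymager): apply the
# guymager.cfg changes from a script. The sample file below is a constructed
# excerpt; the real file has many more entries.

# set_cfg_value FILE KEY VALUE
# Replaces an existing "KEY=..." line (leading whitespace allowed) or appends one.
set_cfg_value() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # keys are plain words and the values used here contain no | & or \,
        # so the sed substitution needs no escaping
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_value FILE KEY
# Prints the value of the first matching KEY= line.
get_cfg_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# add_local_device FILE SERIAL
# Inserts 'SERIAL' directly beneath the ----- line inside the Table LocalDevices
# block, keeping that line's indentation.
add_local_device() {
    file="$1"; serial="$2"
    tmp="$file.tmp.$$"
    awk -v s="'$serial'" '
        { print }
        /^[[:space:]]*Table LocalDevices/ { in_tbl = 1 }
        /^[[:space:]]*EndTable/ { in_tbl = 0 }
        in_tbl && /^[[:space:]]*-+[[:space:]]*$/ {
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) s
            in_tbl = 0
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed excerpt in the style the post describes (table layout assumed)
CFG="$(mktemp)"
cat > "$CFG" <<'EOF'
Language='de'
EwfFormat=Encase6
EwfCompression=Fast
EwfSegmentSize=2047

Table LocalDevices
   SerialNumber
   ------------
EndTable
EOF

set_cfg_value "$CFG" Language "'en'"
set_cfg_value "$CFG" EwfFormat Encase5
set_cfg_value "$CFG" EwfCompression Best
set_cfg_value "$CFG" EwfSegmentSize 1500
add_local_device "$CFG" 1ATA_Maxtor_6B300S0_B605MV0H   # serial quoted in the post
cat "$CFG"
```

On the imaging box the file argument would be /etc/guymager/guymager.cfg and the script would run from the root terminal; the temp-file-and-rename in set_cfg_value avoids depending on sed -i, which differs between sed implementations.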

Adepto

Although Adepto does not image to EWF files, I know some people use it. Some changes need to be made to get it to work.

Launch a file browser with root permissions by opening a root terminal and typing nautilus

Use the file browser to navigate to /home/helix (helix being the name of the user account I created during the installation routine; if you used another account name, navigate to /home/theAccountNameYouUsed)

Right-click or use the Edit menu to create a folder, then name it Adepto

Double-click Adepto and create a subfolder within Adepto called Logs

Right-click on Logs and select Make Link

Right-click on the resulting Link to Logs and select Cut

Navigate to /usr/local/adepto and paste your link file

Right-click on the existing Logs file and delete it

Rename Link to Logs to logs

Adepto should work now.
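The same Logs redirection as a script, for anyone who would rather not click through nautilus as root. This is an added example, not code from the original post or from Adepto: it creates the Logs folder under the user's home, retires the stock logs directory at /usr/local/adepto (carrying its files across rather than deleting them) and drops the symlink in its place. The ROOT prefix is an assumption added so the layout can be rehearsed in a scratch directory, as the block does with constructed stand-in files; on the real machine it is run with an empty ROOT from the root terminal.

```shell
#!/bin/sh
# Added example (not from the original post or from Adepto): the file-browser
# steps as a script. ROOT is a prefix for rehearsing in a scratch directory;
# leave it empty on the real machine.

# link_adepto_logs ROOT [USER]
# Creates ROOT/home/USER/Adepto/Logs, retires any plain ROOT/usr/local/adepto/logs
# directory (moving its files across) and replaces it with a symlink to the new
# location. Safe to run more than once.
link_adepto_logs() {
    root="$1"; user="${2:-helix}"
    logs="$root/home/$user/Adepto/Logs"
    adepto="$root/usr/local/adepto"
    link="$adepto/logs"

    mkdir -p "$logs" "$adepto"

    if [ -d "$link" ] && [ ! -L "$link" ]; then
        # the original logs directory from the Adepto install: keep its contents
        for f in "$link"/*; do
            if [ -e "$f" ]; then mv "$f" "$logs"/; fi
        done
        rmdir "$link"
    elif [ -e "$link" ] || [ -L "$link" ]; then
        # a stale file or an old link (possibly dangling): remove it so ln -s
        # does not create the link inside the target instead
        rm -f "$link"
    fi

    ln -s "$logs" "$link"
}

# Constructed stand-in for a stock install with one existing log file
SCRATCH="$(mktemp -d)"
mkdir -p "$SCRATCH/usr/local/adepto/logs"
echo "constructed sample entry" > "$SCRATCH/usr/local/adepto/logs/old.log"

link_adepto_logs "$SCRATCH" helix
ls -l "$SCRATCH/usr/local/adepto"
```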

Some Networking Stuff

In our lab we image to a file server running Microsoft Windows Server 2003. When I have used the Helix CDs in the past it was always a pain to image to an attached hard drive then transfer the image to the file server later. I wanted the Helix Imager to image direct to our file server and be part of our Windows Workgroup.

where server is your server name, Helix is the name of your Windows share, helix is the name of the linux mount point, user is the name of an account on your Windows server and * is substituted for whatever your password is.

1 comment:

Nice work, I'd thought about installing it previously but had faltered at the first hurdle when the installer crashed and went back to good old SMART Linux with their 'new' Ubuntu flavour.

I've also never bothered creating a new user and adding them to the sudoers file either. I've always figured that no-one is getting into the box remotely anyway, and I ALWAYS forget the sudo bit when I'm working from the terminal, but I know it is good practice not to be logged in as root.

I've never put enough work into mounting Samba shares either, so I will take your tips for that.

I think it's an excellent idea to have a Linux imaging machine in the office too, too many people are just so fully dependent on FTK Imager and EnCase that they have nothing left in their arsenal for the awkward drives that Windows just sometimes won't play with.